In today’s digital age, a robust password manager is non-negotiable. While the official Bitwarden cloud service is excellent, many self-hosting enthusiasts prefer to keep their most sensitive data entirely on their own infrastructure.
If you’ve looked into self-hosting the official Bitwarden server, you might have noticed it requires significant system resources (often 3GB+ of RAM) and a complex setup involving multiple Docker containers.
Enter Vaultwarden.
What is Vaultwarden?
Vaultwarden is an unofficial, highly optimized implementation of the Bitwarden server API, written entirely in Rust. It is fully compatible with all official Bitwarden clients, including browser extensions, desktop applications, and mobile apps.
Key Benefits of Vaultwarden
- Incredibly Lightweight: While the official server demands heavy resources, Vaultwarden can comfortably run on under 50 MB of RAM. It’s perfect for low-power hardware like a Raspberry Pi or a cheap VPS.
- Premium Features Unlocked: Vaultwarden includes features that are normally restricted to premium Bitwarden accounts, such as TOTP (Two-Factor Authentication) code generation, file attachments, and organization sharing.
- Single Container Setup: It runs as a single, easily manageable Docker container with a default SQLite database.
- Complete Data Ownership: Your passwords, notes, and secure files never leave the server you control.
Prerequisites
Before we start the installation, ensure you have:
- A Linux server (Ubuntu/Debian recommended).
- Docker and Docker Compose installed.
- A registered domain name.
- A Reverse Proxy (like Nginx Proxy Manager, Caddy, or Traefik) configured. HTTPS is absolutely required for the Bitwarden web vault and browser extensions to function due to Web Crypto API requirements.
Step 1: Create the Docker Compose File
First, create a directory to house your Vaultwarden configuration and database:
mkdir -p ~/vaultwarden
cd ~/vaultwarden
Next, create a docker-compose.yml file:
nano docker-compose.yml
Paste the following configuration into the file:
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true # Enables live sync for clients
      - SIGNUPS_ALLOWED=true # Allows new users to register
    volumes:
      - ./vw-data:/data
    ports:
      - "80:80"
Configuration Breakdown
- WEBSOCKET_ENABLED=true: Enables WebSockets, allowing your mobile app and browser extensions to sync instantly when a password is changed elsewhere.
- SIGNUPS_ALLOWED=true: We leave this true initially so you can create your admin account. Crucially, you must change this to false after creating your account to prevent strangers from registering on your server.
- volumes: Maps the ./vw-data folder on your host machine to store the SQLite database and attachments persistently.
Save and exit the file.
Step 2: Start the Container
With the configuration ready, start Vaultwarden:
docker compose up -d
Docker will pull the lightweight Rust image and start your server.
Step 3: Configure Your Reverse Proxy (Crucial Step)
As mentioned earlier, Vaultwarden requires a secure HTTPS connection. If you try to access the web vault via a plain HTTP IP address, the login and encryption mechanisms will fail to load.
You must point your domain (e.g., passwords.yourdomain.com) to your server’s IP and configure your reverse proxy to route traffic to port 80 of your Vaultwarden container while securing it with an SSL certificate (like Let’s Encrypt).
Step 4: Create Your Account and Lock Down the Server
- Navigate to your secure domain (https://passwords.yourdomain.com).
- Click Create Account and set up your master password.
- Once you have successfully logged in and verified everything is working, it is time to lock down the server.
Open your docker-compose.yml file again and change SIGNUPS_ALLOWED to false:
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
Restart the container to apply the changes:
docker compose down
docker compose up -d
Congratulations! Your self-hosted Vaultwarden server is now locked down. Nobody else can register an account, but you can continue to use it and invite users via the admin panel if configured.
Step 5: Connect Your Bitwarden Clients
To use your new server on your phone or browser:
- Download the official Bitwarden app or extension.
- On the login screen, look for a gear icon or a setting labeled “Logging in to…” or “Self-hosted”.
- Enter your server URL (https://passwords.yourdomain.com).
- Log in using the credentials you just created.
Don’t Forget Backups!
When you self-host your passwords, you are entirely responsible for backups. If your server dies and you lose the ./vw-data folder, your passwords are gone forever. There is no password reset feature for the master database. Set up automated, encrypted backups of your vw-data folder to a secure off-site location!
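One way to script such a backup, as an added example that is not part of the original guide or the Vaultwarden project: it snapshots the SQLite database through SQLite's online backup API, so the copy is consistent even while the container is running, archives it with the rest of the folder, and encrypts the result with GnuPG. It assumes the default database file name db.sqlite3, that gpg is installed, and that the output path lies outside vw-data; the function names are illustrative.

```python
import sqlite3
import subprocess
import sys
import tarfile
import tempfile
from pathlib import Path

DB_NAME = "db.sqlite3"  # assumed default database file name inside vw-data


def snapshot_archive(data_dir, out_tar):
    """Write a consistent tar.gz of the data folder; return the member names."""
    data = Path(data_dir)
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / DB_NAME
        if (data / DB_NAME).exists():
            # SQLite's online backup API copies a transactionally consistent
            # image even while the container is writing to the database.
            src, dst = sqlite3.connect(data / DB_NAME), sqlite3.connect(snap)
            try:
                src.backup(dst)
            finally:
                src.close()
                dst.close()
        with tarfile.open(out_tar, "w:gz") as tar:
            if snap.exists():
                tar.add(snap, arcname=DB_NAME)
            for p in sorted(data.rglob("*")):
                rel = p.relative_to(data).as_posix()
                # Skip the live database and its -wal/-shm/-journal side files.
                if p.is_file() and not rel.startswith(DB_NAME):
                    tar.add(p, arcname=rel)
            return tar.getnames()


def encrypt(path, passphrase_file):
    """Encrypt with GnuPG (symmetric AES-256) and delete the plaintext archive."""
    out = str(path) + ".gpg"
    subprocess.run(["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
                    "--symmetric", "--cipher-algo", "AES256",
                    "--passphrase-file", passphrase_file,
                    "--output", out, str(path)], check=True)
    Path(path).unlink()
    return out


if __name__ == "__main__":
    # usage: backup.py <vw-data dir> <output .tar.gz> <passphrase file>
    snapshot_archive(sys.argv[1], sys.argv[2])
    print(encrypt(sys.argv[2], sys.argv[3]))
```

Keep the passphrase file readable only by the backup user and store a copy of the passphrase somewhere other than the vault itself, since it is needed to restore.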
Enjoy your lightning-fast, private password manager!